kafka-jira mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Manikumar (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (KAFKA-4411) broker don't have access to kafka zookeeper nodes
Date Fri, 01 Sep 2017 06:58:00 GMT

     [ https://issues.apache.org/jira/browse/KAFKA-4411?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Manikumar resolved KAFKA-4411.
------------------------------
    Resolution: Not A Problem

 It is necessary to have the same principal name across all brokers for ZK Authentication.

> broker don't have access to kafka zookeeper nodes
> -------------------------------------------------
>
>                 Key: KAFKA-4411
>                 URL: https://issues.apache.org/jira/browse/KAFKA-4411
>             Project: Kafka
>          Issue Type: Bug
>          Components: admin, config
>    Affects Versions: 0.9.0.1
>         Environment: Red Hat Enterprise Linux Server release 7.0 
> Java 1.8.0_66-b17 
> Kafka 0.9.0.1
>            Reporter: Mohammed amine GARMES
>            Priority: Critical
>              Labels: security
>   Original Estimate: 12h
>  Remaining Estimate: 12h
>
> I have 2 kafka servers configured to start with kafka security, I try to start the akfka
servers with the JASS below ==>
> server 1
>  KafkaServer {
>         com.sun.security.auth.module.Krb5LoginModule required
>         useKeyTab=true
>         storeKey=true
>         keyTab="/opt/kafka/config/kafka.keytab"
>         principal="kafka/kafka1.test.net@TEST.NET";
>     };
>     // ZooKeeper client authentication
>     Client {
>         com.sun.security.auth.module.Krb5LoginModule required
>         useKeyTab=true
>         storeKey=true
>         keyTab="/opt/kafka/config/kafka.keytab"
>         principal="kafka/kafka1.test.net@TEST.NET";
>     };
> server 2 :
> KafkaServer {
>     com.sun.security.auth.module.Krb5LoginModule required
>     useKeyTab=true
>     storeKey=true
>     keyTab="/opt/kafka/config/kafka.keytab"
>     principal="kafka/kafka2.test.net@TEST.NET";
> };
> // ZooKeeper client authentication
> Client {
>     com.sun.security.auth.module.Krb5LoginModule required
>     useKeyTab=true
>     storeKey=true
>     keyTab="/opt/kafka/config/kafka.keytab"
>     principal="kafka/kafka2.test.net@TEST.NET";
> };
> the problem:
> when I start the kafka server 1 all is fine, but when I try to start the second server
I have an issue because it haven't the access to the zookeeper node (/brokers) for kafka.
the all zookeeper path /brokers is blocked by the first server, so the second server haven't
the right access to write in this path .
> The ACL of /brokers is the fqdn of the first server, normally  should be open for all
and close ACL of the path /broker/ids/1, in this case the second server can write in /brokers
and close the /brokers/ids/2 for him.
> I founded a solution but I am not sure that the right solution, I create a new kakfa-kerberos
user, so for all server I use the same user :
> Server1
> KafkaServer {
>     com.sun.security.auth.module.Krb5LoginModule required
>     useKeyTab=true
>     storeKey=true
>     keyTab="/opt/kafka/config/kafka.keytab"
>     principal="kafka/kafka1.test.net@TEST.NET";
> };
> // ZooKeeper client authentication
> Client {
>     com.sun.security.auth.module.Krb5LoginModule required
>     useKeyTab=true
>     storeKey=true
>     keyTab="/opt/kafka/config/kafkaZk.keytab"
>     principal="kafka/kafkaZk.test.net@TEST.NET";
> };
> ________________________________________
> Server2
> KafkaServer {
>     com.sun.security.auth.module.Krb5LoginModule required
>     useKeyTab=true
>     storeKey=true
>     keyTab="/opt/kafka/config/kafka.keytab"
>     principal="kafka/kafka2.test.net@TEST.NET";
> };
> // ZooKeeper client authentication
> Client {
>     com.sun.security.auth.module.Krb5LoginModule required
>     useKeyTab=true
>     storeKey=true
>     keyTab="/opt/kafka/config/kafkaZk.keytab"
>     principal="kafka/kafkaZk.test.net@TEST.NET";
> };
> Can help me or clarify to me how I can use Kafka security correctly ?!!



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message